My log line would look like this:
2018-03-09 16:12:20,315 INFO [com.sample.teste.TestClass] (https-express.sample.com-433-8) {my-name-1=my-value-1, my-name-2=my-value-2} Testing logger
And I have the pipeline config as:
    filter {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} *\[%{JAVACLASS:logger}\] \(%{GREEDYDATA:thread}\) \{%{GREEDYDATA:mdc}\} %{GREEDYDATA:message}"}
        overwrite => [ "message" ]
      }
      mutate {
        split => { "mdc" => "," }
      }
    }
And the output of that field in Elasticsearch is:
    "mdc": [
      "my-name-1=my-value-1",
      " my-name-2=my-value-2"
    ],
Is it possible to parse and store this field as an array of objects instead? Like this:
    "mdc": [
      {
        "name": "my-name-1",
        "value": "my-value-1"
      },
      {
        "name": "my-name-2",
        "value": "my-value-2"
      }
    ]
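One way to get the requested shape, as an added example that is not part of the original post: a stand-alone Ruby sketch that parses the quoted log line and turns the MDC string into name/value objects. The names `SAMPLE_LINE`, `LINE_RE`, `mdc_to_objects` and `parse_line` are hypothetical, and the regex is a hand-written stand-in for the grok pattern, not the grok library itself.

```ruby
# Added example, not part of the original post; all names are hypothetical.
require 'json'

# Constructed sample input: the log line quoted in the post.
SAMPLE_LINE = '2018-03-09 16:12:20,315 INFO [com.sample.teste.TestClass] ' \
              '(https-express.sample.com-433-8) ' \
              '{my-name-1=my-value-1, my-name-2=my-value-2} Testing logger'

# Field layout of the post's grok pattern. thread and mdc use negated
# character classes instead of GREEDYDATA, so a ")" or "}" inside the
# free-text message cannot stretch those fields over message content.
LINE_RE = /\A(?<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?<level>[A-Z]+) *\[(?<logger>[^\]]+)\] \((?<thread>[^)]*)\) \{(?<mdc>[^}]*)\} (?<message>.*)\z/

# Convert "k1=v1, k2=v2" into [{"name"=>"k1", "value"=>"v1"}, ...].
def mdc_to_objects(mdc)
  mdc.to_s.split(',').each_with_object([]) do |chunk, out|
    name, value = chunk.strip.split('=', 2) # limit 2 keeps "=" inside values
    if value.nil? && !out.empty?
      # Chunk without "=": treat it as the tail of a value that held a ",".
      out.last['value'] += ",#{chunk}"
    elsif !name.to_s.empty?
      out << { 'name' => name, 'value' => value.to_s }
    end
  end
end

# Parse one line into an event hash whose "mdc" is an array of objects.
# Returns nil when the line does not match the expected layout.
def parse_line(line)
  m = LINE_RE.match(line.chomp) or return nil
  event = m.named_captures
  event['mdc'] = mdc_to_objects(event['mdc'])
  event
end

puts JSON.pretty_generate(parse_line(SAMPLE_LINE)) if __FILE__ == $PROGRAM_NAME
```

Inside a Logstash `ruby` filter, the same conversion can be applied to the unsplit field through `event.get("mdc")` and `event.set("mdc", ...)`, in place of the `mutate` split.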